The rise of mobile malware in the last few years has been well documented, and the latest reports show that malware sending out text messages to premium rate numbers is the type users encounter most often.

This prevalence will likely not be challenged for a while - after all, there are not many crooks who would say no to a fast and easy buck - but users must be aware that new malicious software with as of yet unimaginable capabilities will surface in time.

One of these malicious programs has recently been unearthed, but luckily for all of us the Trojan posing as a camera app is currently only a prototype created by a team of researchers from the Naval Surface Warfare Center in Indiana and the Indiana University.

The name of the malware in question is PlaceRaider, and its goal is to surreptitiously take photos with Android smartphones' built-in camera in order for attackers to be able to recreate a 3D model of the user's indoor environment and steal all kinds of information (click on the screenshot to enlarge it):

"Once the visual data has been transferred and reconstructed into a 3D model, the remote attacker can surveil the target’s private home or work space, and engage in virtual theft by exploring, viewing, and stealing the contents of visible objects including sensitive documents, personal photographs, and computer monitors," the researchers explained in a recently released paper.

They tested their Trojan on 20 individuals by giving them infected devices. As they went through their day, the malware would take hundreds of photos (along with orientation and acceleration sensor data) and, after filtering out the uninformative ones, would send the remaining ones to the researchers' remote server.

The victims were oblivious to the Trojan's activities, as the malware is designed to mute the sound of the camera's shutter.

With the images in hand, the researchers then used a computer vision algorithm to generate a rich 3D model, which can be inspected very closely for valuable information.

The PoC Trojan has been designed for the Android platform, and the scary part is that the permissions it asks - to access the camera, to write to external storage, to connect to the network, to change audio settings - can easily be seen as legitimate when the malware is packaged within an attractive camera app.

The researchers have proved that it is highly likely that successful "visual" Trojans such as this one will eventually find their way into the wild, so in order to prevent users from becoming targets they advise them to get apps only from trusted software developers.

Among other things, hardware manufacturers are advised to implement a shutter sound that can't be muted, and possibly even to make the taking of photos possible only when a physical button is pressed; and Google and Apple (developers of Android and iOS) are urged to make apps also ask permission to collect acceleration and gyroscope data.

Spotlight

(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. Learn about personal data bankruptcy and the cost of privacy, security and compliance, delivering digital security to a mobile world, and much more.

As ISPs, hosting providers and online enterprises around the world continue suffering the effects of DDoS attacks, often the discussions that follow are, “What is the best way to defend our networks and our customers against an attack?”

The code redirects visitors to another URL where the Fiesta exploit kit is hosted, which then tries to detect and exploit several vulnerabilities in various software. If it succeeds, the visitors are saddled with a banking Trojan.

Looking for an Android-based tablet for your child but don't know which one to choose? If you are concerned about the device's protection against random hackers, Bluebox Security has just released a review of the nine most popular Android tablet models aimed specifically at children.